Brit Spies Spoof LinkedIn Pages to Track Targets

Officially, no one knows anything, but if the latest revelations from Edward Snowden's storehouse of inside information on global surveillance activities can be believed, then it's highly likely Britain's counterpart to the NSA has been hacking into telecoms. GCHQ apparently redirected network engineers to spoofed LinkedIn pages and loaded their computers with malware to gain access.

The first known attack was on Belgacom, a telecom firm partly owned by the Belgian government, according to a top secret GCHQ presentation revealed by NSA whistleblower Edward Snowden. That attack was among projects launched by GCHQ to infiltrate foreign networks.

The British intelligence agency also targeted international mobile billing clearinghouses, which process international payment transactions between wireless companies.

Hitting US Companies

Syniverse and Mach, a company it acquired in July, are high on the list of clearinghouses GCHQ has targeted for such penetration, according to Der Spiegel.

GCHQ apparently has targeted three network engineers at Mach, using the Quantum Insert method.

Syniverse provides solutions that let different mobile technologies interoperate around the world. With its acquisition of Mach, it serves more than 1,500 mobile service providers, enterprises, ISPs and app providers in nearly 200 countries.

"There have been no known breaches of the Syniverse or Mach data centers by any government agency," Syniverse spokesperson Bobby Eagle told TechNewsWorld. "Privacy and confidentiality are essential priorities for Syniverse, and we take these matters very seriously."

The Essence of GCHQ's Attack

The British intelligence service is, basically, redirecting traffic to and from targets to a server between them so it can intercept communications.

This is known as a "man in the middle" attack.

Such attacks are commonly used on the banking sector. iMessages
are vulnerable to MITM, Quarkslab disclosed in October.

We Are the (Tainted) World

GCHQ's techniques are strikingly similar to the ones used by cybercriminals when they launch targeted attacks, such as spearphishing.

The agency first determines who works for a target company using publicly available data such as the victim's LinkedIn profile. It apparently focuses on IT personnel and network admins because they have extensive access privileges on their computers.

The agency then gathers all available information about its victim -- in one case, even gaining access to cookies on a victim's PCs -- then develops what are essentially viruses in payloads customized for the victim's computers.

One method of attack involved concealing the malware payloads on spoofed versions of victims' LinkedIn pages. Pulling up the fake profile would launch the malware into the victim's computer.

"We have never cooperated with any government agency, nor we have any knowledge, with regard to these actions," LinkedIn spokesperson Julie Inouye told TechNewsWorld.

"To date, we have not detected any of the spoofing activity that is being reported," she said. "LinkedIn takes the privacy and security of our members very seriously, and when we're made aware of any activity that may be considered problematic, we work to quickly shut it down."

The Sincerest Form of Flattery

It appears that GCHQ borrowed heavily from the United States' National Security Agency.

The NSA
places secret servers, codenamed "Quantum," at key places on the Internet backbone as part of its so-called "Turmoil" system, according to security specialist Bruce Schneier.

Once the Quantum servers are in place, a query to a website they are spoofing hits them before it hits the legitimate site. The query is then redirected to another set of secret Internet servers, codenamed "FoxAcid," Schneier said.

The FoxAcid servers then inject malware into victims' PCs to compromise them.

It's not clear whether the UK agency is using the same technology as the NSA, although Der Spiegel uses the term "Quantum Insert" in its description of the GCHQ attacks.

"Capturing large amounts of Internet traffic and redirecting it like that should be off limits," the ITIF's Castro remarked.